CIAC J-063: Domain Name System (DNS) Denial of Service (DoS) Attacks

Martin Horneffer Horneffer at rrz.Uni-Koeln.DE
Fri Nov 19 16:38:04 UTC 1999

With respect to CIAC J-063 / AUSCERT ALERT AL-1999.004, I just (partly)
tried to implement ACLs as suggested:

acl trusted {
        // address list missing from this copy of the message
};

options {
        allow-query { trusted; };
};

zone "Uni-Koeln.DE" {
        type master;
        file "Uni-Koeln.DE";
        allow-query { any; };
};

I immediately started getting unapproved queries from many hosts that
incorrectly use our machine as their recursive nameserver. While that
doesn't really bother me, I noticed something else.
Queries concerning our zones are correctly let through if the queried
name exists. But when asked for a non-existent name within our domain,
our nameserver now answers "Query refused" instead of "Non-existent
host/domain". E.g.: 

linus:~% nslookup 
Server:  noc.rrz.Uni-Koeln.DE

*** noc.rrz.Uni-Koeln.DE can't find Query refused

Now that really bothers me! Is this correct behaviour and covered by the
behaviour of recursive nameservers, did I do something wrong, or is it a
bug?  And if it's not a bug: what shall I do with all the syslogs
concerning queries for non-existent names in our domains?
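
Added example, not part of the original message: one way to triage the "unapproved query" syslog entries described above, separating refusals for names inside the server's own zones from refusals caused by hosts using it as a recursive resolver. The log line format, the sample lines and the names triage and in_local_zone are assumptions; the post does not show its syslog output.

```python
import re
from collections import Counter

# Zone the server is authoritative for, taken from the posted config.
LOCAL_ZONES = ("uni-koeln.de",)

# Assumed BIND 8 style log line (the post does not show its syslog format):
#   unapproved query from [192.0.2.7].1044 for "www.example.com"
LINE_RE = re.compile(r'unapproved query from \[([0-9.]+)\]\.(\d+) for "([^"]*)"')

# Constructed sample lines; client addresses are documentation ranges.
SAMPLE_LOG = """\
Nov 19 16:01:02 noc named[211]: unapproved query from [192.0.2.7].1044 for "www.example.com"
Nov 19 16:01:05 noc named[211]: unapproved query from [192.0.2.7].1045 for "ftp.example.org"
Nov 19 16:02:11 noc named[211]: unapproved query from [198.51.100.23].53 for "nosuchhost.Uni-Koeln.DE"
Nov 19 16:02:40 noc named[211]: unapproved query from [203.0.113.9].2001 for "typo.rrz.uni-koeln.de."
Nov 19 16:03:00 noc named[211]: Ready to answer queries.
"""

def in_local_zone(qname, zones=LOCAL_ZONES):
    """True if qname equals or lies below one of our zones (case-insensitive)."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def triage(log_text):
    """Return (foreign, local): per-client counts of refused out-of-zone
    queries, and the list of refused queries for names in our own zones."""
    foreign = Counter()
    local = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an "unapproved query" entry
        client, _port, qname = m.groups()
        if in_local_zone(qname):
            local.append((client, qname))
        else:
            foreign[client] += 1
    return foreign, local

if __name__ == "__main__":
    foreign, local = triage(SAMPLE_LOG)
    print("Clients using this server as a resolver:")
    for client, count in foreign.most_common():
        print(f"  {client}: {count} refused queries")
    print("Refused queries for names in our own zones:")
    for client, qname in local:
        print(f"  {client} asked for {qname}")
```

Entries in the second list are the ones affected by the "Query refused" behaviour in question; the first list is ordinary enforcement of the global allow-query restriction.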

